You complete most of the cluster configuration and customization after you deploy your OKD cluster. A number of configuration resources are available.

You modify the configuration resources to configure the major features of the cluster, such as the image registry, networking configuration, image build behavior, and the identity provider.

For current documentation of the settings that you control by using these resources, use the oc explain command, for example oc explain builds --api-version=config.openshift.io/v1

Cluster configuration resources

All cluster configuration resources are globally scoped (not namespaced) and named cluster.

Resource name Description


Provides API server configuration such as certificates and certificate authorities.


Controls the identity provider and authentication configuration for the cluster.


Controls default and enforced configuration for all builds on the cluster.


Configures the behavior of the web console interface, including the logout behavior.


Enables FeatureGates so that you can use Tech Preview features.


Configures how specific image registries should be treated (allowed, disallowed, insecure, CA details).


Configuration details related to routing such as the default domain for routes.


Configures identity providers and other behavior related to internal OAuth server flows.


Configures how projects are created including the project template.


Defines proxies to be used by components needing external network access. Note: not all components currently consume this value.


Configures scheduler behavior such as policies and default node selectors.

Operator configuration resources

These configuration resources are cluster-scoped instances, named cluster, which control the behavior of a specific component as owned by a particular Operator.

Resource name Description


Controls console appearance such as branding customizations


Configures internal image registry settings such as public routing, log levels, proxy settings, resource constraints, replica counts, and storage type.


Configures the Samples Operator to control which example image streams and templates are installed on the cluster.

Additional configuration resources

These configuration resources represent a single instance of a particular component. In some cases, you can request multiple instances by creating multiple instances of the resource. In other cases, the Operator can use only a specific resource instance name in a specific namespace. Reference the component-specific documentation for details on how and when you can create additional resource instances.

Resource name Instance name Namespace Description




Controls the Alertmanager deployment parameters.




Configures Ingress Operator behavior such as domain, number of replicas, certificates, and controller placement.

Informational Resources

You use these resources to retrieve information about the cluster. Do not edit these resources directly.

Resource name Instance name Description



In OKD 4.6, you must not customize the ClusterVersion resource for production clusters. Instead, follow the process to update a cluster.



You cannot modify the DNS settings for your cluster. You can view the DNS Operator status.



Configuration details allowing the cluster to interact with its cloud provider.



You cannot modify your cluster networking after installation. To customize your network, follow the process to customize networking during installation.

Updating the global cluster pull secret

You can update the global pull secret for your cluster by either replacing the current pull secret or appending a new pull secret.

The procedure is required when users use a separate registry to store images than the registry used during installation.

Cluster resources must adjust to the new pull secret, which can temporarily limit the usability of the cluster.

Updating the global pull secret will cause node reboots while the Machine Config Operator (MCO) syncs the changes.

  • You have access to the cluster as a user with the cluster-admin role.

  1. Optional: To append a new pull secret to the existing pull secret, complete the following steps:

    1. Enter the following command to download the pull secret:

      $ oc get secret/pull-secret -n openshift-config --template='{{index .data ".dockerconfigjson" | base64decode}}' ><pull_secret_location> (1)
      1 Provide the path to the pull secret file.
    2. Enter the following command to add the new pull secret:

      $ oc registry login --registry="<registry>" \ (1)
      --auth-basic="<username>:<password>" \ (2)
      --to=<pull_secret_location> (3)
      1 Provide the new registry. You can include multiple repositories within the same registry, for example: --registry="<registry/my-namespace/my-repository>".
      2 Provide the credentials of the new registry.
      3 Provide the path to the pull secret file.

      Alternatively, you can perform a manual update to the pull secret file.

  2. Enter the following command to update the global pull secret for your cluster:

    $ oc set data secret/pull-secret -n openshift-config --from-file=.dockerconfigjson=<pull_secret_location> (1)
    1 Provide the path to the new pull secret file.

This update is rolled out to all nodes, which can take some time depending on the size of your cluster. During this time, nodes are drained and pods are rescheduled on the remaining nodes.